Congress is trying to repeal online privacy rules, and we're trying to stop them--but we need your help today! AMA!
Last year, the FCC passed some pretty awesome rules that would bar your internet service provider (ISP) from invading your privacy. But last Thursday, Republicans in the Senate voted to repeal those rules. If the House of Representatives votes the same way on S.J. Res 34 and the rules are repealed, the results for Americans’ privacy will be disastrous.
But we can stop them in their tracks--if we act today.
We are:
• Cory Doctorow (Blogger, journalist, author, co-editor Boing Boing) /u/doctorow
• Dane Jasper (CEO & co-founder, Sonic) /u/danejasper
• David Segal (Executive Director, Demand Progress) /u/Davidadamsegal
• Jeremy Gillula (Senior Staff Technologist, Electronic Frontier Foundation) /u/jgillula
And we're here to answer any questions you might have about why repealing these rules is bad for your privacy, and what you can do to stop their repeal.
Ask us anything!
• Proof from EFF: https://twitter.com/EFF/status/845810486314618880
• Proof for Cory: see his retweet of https://twitter.com/EFF/status/845810486314618880 at https://twitter.com/doctorow/
• Proof for Dane: see his retweet of https://twitter.com/EFF/status/845810486314618880 at https://twitter.com/dane/
• Proof for Jeremy: https://twitter.com/the_zeroth_law/status/845791499795116032
(And more proof to come from Cory, Dane, and David on Monday when they join!)
EDIT: All right folks, we're gonna wrap up for now. Thanks to everyone for your awesome questions!
jgillula14 karma
Your Internet provider could definitely sell your data individually. (Though to be perfectly honest, they're unlikely to--they see the info they amass on you as their secret sauce, and they're unlikely to want to let it get out, because then they can't keep making money off of it.)
layer1112 karma
What, if any, effect would this have on people outside of the US? Is there anything non-US internet users can do?
jgillula14 karma
Fortunately, the rules will only affect U.S. Internet providers like Comcast, Cox, or Time-Warner and their customers.
The best thing non-U.S. Internet users can do right now is drum up attention. Obviously non-U.S. Internet users can't call their congressperson, but by tweeting about this issue or posting it to social media--especially the following link, which people can use to call their congressmember https://act.eff.org/action/don-t-let-congress-undermine-our-online-privacy --you can raise awareness, and get more people in the U.S. to see what's going on and call their lawmakers.
And of course, if you have any friends in the U.S., tell them directly!
We still have a shot at killing this thing, but only if we melt Congress's phone lines on Monday.
jgillula26 karma
If the repeal passes, it'll mean three things. First, it'll mean that your Internet provider will be able to spy on your traffic and sell your data to marketers--so all the creepy tracking you already see online will get turned up to eleven.
Second, it means you might see a lot more ads, including ads you won't be able to block. (That's because current adblockers block ads by blocking data from specific domains. Your Internet provider could insert the ads directly into your traffic, making it much, much harder to block the ads.)
Third, it means your security is going to get a lot worse. Internet providers have "accidentally" published personal information that wasn't supposed to before, and there's no reason to think their security is going to get any better. In fact, they recently succeeded in killing a rule that would have required them to take "reasonable" security precautions to protect your data.
And by injecting ads, Internet providers could break the websites you view--including their security features.
trai_dep10 karma
Can you address ISPs’ unique gateway role for everyone's internet access? Why is using this privileged position to monitor and even alter people’s web traffic especially harmful?
jgillula18 karma
Great question!
A lot of the FUD Internet provider lobbyists are spreading about why this repeal is necessary revolves around the myth that the privacy rules put Internet providers at an unfair disadvantage when compared to Internet companies like Google who can profit off of consumers’ data.
But Google doesn’t see everything you do on the Internet (neither does Facebook, for that matter, or any other online platform)—they only see the traffic you send to them. And you can always choose to use a different search engine if you want to avoid Google’s tracking. None of that is true about your Internet provider. You probably only have one, maybe two options when it comes to broadband Internet, and your Internet provider sees everything—they have to, in order to send your traffic to the right place. That’s why we need the FCC’s privacy rules: Internet providers can see and alter all of your traffic, which gives them power that no other company has over your connection--and they've shown they're willing to abuse that power.
Plus, if you’re worried about creepy third-party tracking online, you can use free tools to protect yourself; the only way to protect your privacy from your Internet provider is to pay for a VPN or use Tor.
epicmittmitt8 karma
What can a person do to protect his or her privacy if these rules are repealed?
jgillula12 karma
There are really only two things you can do: subscribe to a VPN, or use Tor. The annoying thing is that VPNs cost money, and Tor users still encounter a lot of captchas.
A bonus third option, if you're lucky enough to have actual competition in broadband providers, is to switch to a provider that values your privacy. Several small ISPs have ripped into lawmakers for repealing these rules, so if you have a small, local ISP, consider supporting them!
nemd27 karma
Can a group of people valuing their privacy get together and become their own ISP? Would it be better for privacy?
jgillula8 karma
Unfortunately, starting your own ISP is tough. Some cities have tried to start their own broadband networks, but companies like Comcast and Verizon have successfully managed to lobby a lot of state legislatures to enact anti-competitive bans.
With that said, if you're really serious, it's worth a shot--but it's definitely a huge undertaking (https://www.eff.org/deeplinks/2014/06/neutrality-begins-home-what-us-mayors-can-do-right-now-support-neutral-internet).
randysavage1127 karma
Is there any reason why they are trying to pass this law? Any specific reason?
jgillula10 karma
Primarily because ISPs see their customers' data as a gold mine, and they want to make even more money off their customers.
darkhorsehance5 karma
Does the bill specify what information an ISP can sell? Does it include personally identifiable information?
jgillula12 karma
The short answer is: yep, ISPs could sell personally identifiable information if they wanted.
The long answer is that technically, the repeal would just roll back rules that protect your info. This includes PII, but also:
(1) financial information; (2) health information; (3) information pertaining to children; (4) Social Security numbers; (5) precise geo-location information; (6) content of communications; (7) call detail information; and (8) web browsing history, application usage history, and the functional equivalents of either.
So if the repeal succeeds, ISPs could share all of that information.
Resist453 karma
What can we do to oppose this if we live in a blue district? Barbara Lee is my representative.
jgillula2 karma
Do you have any friends or family in red districts? If so, call them and tell them to call their representative! (https://www.eff.org/deeplinks/2017/03/five-ways-cybersecurity-will-suffer-if-congress-repeals-fcc-privacy-rules)
And if nobody you know lives in a red district, just making noise about it on social media can help raise awareness.
etown3613 karma
If this awful bill passes, could I somehow buy Donald Trump's web browsing history?
Danejasper5 karma
It is very unlikely that you could buy specific user information; it seems more likely that aggregated and anonymized usage information would be sold. But if there were a data breach, who knows what raw usage information carriers might be collecting for sale that could be hacked and leaked.
If that were to occur, one would hope at least for notification, but not all states have strong laws on notification, and it's not clear if browsing information would qualify as sensitive information subject to notification disclosure.
It's also worth noting that aggregated data, supposedly without identifying information, can sometimes be tied back to individuals. See for example NYC taxi usage by celebrities and a study revealing that de-anonymization could be accomplished using Netflix movie rating data.
In summary: anonymization is hard, and subject to obscure attacks.
jgillula6 karma
I'd also point out that while you may not be able to buy his browsing history, this sort of information will become a very tempting target for hackers--so it could leak. Just think of all the data that got leaked from the OPM leak--and now add browsing history to the breach.
We've also seen Internet providers accidentally publish private information before--no hacking necessary!
flipjargendy2 karma
What about people who rent their router or modem from their ISP? Will ISPs be able to use the hardware to deliver ads? For example, like when you connect to free public wifi at a coffee shop and must agree to their TOS, then get directed to a page where you are barraged with a bunch ads. (So basically, you'll have to view ads each time you want to use the internet before you can continue to the site you wanted to view.)
jgillula3 karma
ISPs would be able to insert ads/spy on your unencrypted traffic even if you don't rent your router/modem from them! All they'd have to do is modify your traffic upstream. So yeah, it could be a case where you have to view ads whenever you want to use the Internet (or more likely, you'll just see more ads that will be a lot harder to block).
Craig_Hubley2 karma
Who, specifically, is working on a legal injunction against any such release of data? In what state, and would it apply federally, or is that only a convention? Could an ISP closely allied to a political view find a way to 'sell' (or just give) the data to its political friends' campaigns, even under such an injunction? Is the question of who actually owns the data not settled in California (in favor of the user)?
jgillula3 karma
Courtesy of @EFFFalcon:
Who, specifically, is working on a legal injunction against any such release of data?
In order to file an injunction you need a legal right that is being violated. Repealing the privacy rules and effectively gutting the agency from enforcing its privacy authority over an ISP may result in you not having a legal right in the first place. That being said, let's stop this vote first so we don't have to fight it in the courts.
https://act.eff.org/action/don-t-let-congress-undermine-our-online-privacy
In what state, and would it apply federally, or is that only a convention?
Congress would repeal the federal rules so state AGs and Public Utility Commissions can still enforce their own rules (provided they weren't completely deregulated). California for example has prohibited its PUC from overseeing industries that use Internet Protocol. Industry argued that they were already regulated at the federal level. This is having your cake and eating it too.
Could an ISP closely allied to a political view find a way to 'sell' (or just give) the data to its political friends' campaigns, even under such an injunction?
See above on injunction question. In terms of ISPs favoring candidates, it's plausible, though it would run into issues if they give below market rate gifts as essentially campaign contributions without accounting for it. The other likely scenario is campaigns with lots of money will have the advantage of exploiting the sensitive data for hyper-targeted political ads.
Is the question of who actually owns the data not settled in California (in favor of the user)?
California has a handful of privacy laws that regulate industry practices in terms of disclosure, data breach, and 4th amendment protections. The ISP industry though is arguably free from most state regulation when the state legislature was convinced to eliminate the Public Utilities Commission authority at the behest of the ISPs (sort of like what is happening now in Congress).
Also, to add to the last question: the 9th Circuit ruled for AT&T (FTC v AT&T Mobility) in finding that the Federal Trade Commission is barred from disciplining common carriers (your ISP). That binds California and a handful of other western and mountain west states.
orchidsage2 karma
What is the likelihood of this passing in the house? Which reps are swings on this issue to target?
jgillula8 karma
We're trying to target the following reps:
AL-02 – Martha Roby
AR-02 – French Hill
AZ-02 – Martha McSally
CA-10 – Jeff Denham
CA-21 – David Valadao
CA-25 – Steve Knight
CA-39 – Ed Royce
CA-45 – Mimi Walters
CA-48 – Dana Rohrabacher
CA-49 – Darrell Issa
CO-03 – Scott Tipton
CO-06 – Mike Coffman
FL-18 – Brian Mast
FL-25 – Mario Diaz-Balart
FL-26 – Carlos Curbelo
FL-27 – Ileana Ros-Lehtinen
GA-06 – Tom Price
IA-01 – Rod Blum
IA-03 – David Young
IL-06 – Peter Roskam
IL-13 – Rodney Davis
IL-14 – Randy Hultgren
KS-02 – Lynn Jenkins
KS-03 – Kevin Yoder
KY-06 – Andy Barr
ME-02 – Bruce Poliquin
MI-07 – Tim Walberg
MI-08 – Mike Bishop
MI-11 – Dave Trott
MN-02 – Jason Lewis
MN-03 – Erik Paulsen
NC-08 – Richard Hudson
NC-09 – Robert Pittenger
NC-13 – Ted Budd
NE-02 – Don Bacon
NJ-02 – Frank LoBiondo
NJ-03 – Tom MacArthur
NJ-07 – Leonard Lance
NJ-11 – Rodney Frelinghuysen
NY-01 – Lee Zeldin
NY-11 – Dan Donovan
NY-19 – John Faso
NY-22 – Claudia Tenney
NY-24 – John Katko
NY-27 – Chris Collins
OH-01 – Steve Chabot
OH-07 – Bob Gibbs
PA-06 – Ryan Costello
PA-07 – Pat Meehan
PA-08 – Brian Fitzpatrick
PA-16 – Lloyd Smucker
TX-07 – John Culberson
TX-23 – Will Hurd
TX-32 – Pete Sessions
VA-02 – Scott Taylor
VA-10 – Barbara Comstock
WA-03 – Jaime Herrera Beutler
WA-08 – David Reichert
WV-02 – Alex Mooney
If we can get 2/3 of those to not vote on straight party lines, then we can kill it. So it's an uphill battle, but if we get enough calls in we can win it.
sloppypenguin2252 karma
Sorry if this question sounds silly but if this bill is passed and the ISPs start to snoop on every single thing we do, how would we be able to protect ourselves? I assume that VPNs won't be enough since they will be able to possibly have a new TOS which say that encryption is now forbidden?
Danejasper3 karma
Finding another ISP, or a trustworthy VPN would be the only way to avoid your current carrier.
It is also likely that your current ISP would offer an "opt-out", but I would suggest that on principle you should shop around for a carrier with better policies instead!
jgillula2 karma
To build on Dane's point, I think it would be hard for Internet providers to ban VPNs altogether (since a lot of companies require telecommuters to use VPNs to work from home). So VPN is definitely one way you could protect yourself. (But of course that costs money, and you're just shifting your trust from your Internet provider to your VPN provider.)
Also Tor, but Tor suffers from the Cloudflare/captcha problem, which makes browsing hard sometimes. (Although they're working on a fix.)
RidesThe72 karma
If this bill passes, will my ISP be able to sell previously collected data (e.g., my google searches from the last 3 years?) Or will this only affect data collected going forward?
jgillula3 karma
Answer courtesy of @EFFFalcon:
The rules have not taken effect yet, but if we can kill this thing and they do take effect then the answer is a clear no.
Prior to the rules, it is unclear to what extent they can do this without violating Section 222 of the Communications Act. Whenever the law is unclear, we've seen ISPs try to push the limits and wait until they are disciplined by the law. Because the privacy rules lacked clarity until the recent FCC update it is plausible they were not collecting that data long term because of costs and unclear legal path to profit from it. They could also have been collecting it and trying to use it in ways that potentially violate the law. One thing is clear, if Congress repeals the privacy rules through this process, they will assuredly try to maximize their profits from your information if they have it as the law will be tilted in their favor.
RedditThank2 karma
Can you explain the background a little bit more? On the face of it, I agree with these rules, but as you point out they were only passed last year. If these rules are so great, why did the Obama administration wait until the very end of its 8-year term to put them in place?
Were ISPs using and selling data in the way you warn about, before these rules passed (i.e., the entire history of the Internet)? If not, why not, and why would they start now?
Thanks
Danejasper8 karma
Broadband internet access last year was classified as a telecommunications service, which was key to being able to put rules in place to protect consumer privacy. Wheeler's FCC took a couple passes at this issue, which was critical also to the network neutrality issue.
ISPs have demonstrated a willingness to partner with entities like NebuAd and Phorm, who allowed carriers to tap into the revenue stream for advertising. See also a rogues' gallery of ISP behaviors, somewhat dated, but my article "The Five Levels of ISP Evil" is worth reading in the context of your question about past behaviors.
jgillula3 karma
Yeah--a big part of this is that the federal government moves slowly sometimes. It took six years for the FCC just to get to a point where they could even pass privacy rules in the first place (which first involved reclassifying Internet providers as common carriers), and then another year to draft up privacy rules. So this has been in the works for seven years. http://whatisnetneutrality.org/timeline is a great timeline of the process.
And yes, some ISPs have already started doing the sorts of things we're worried about. (See https://www.eff.org/deeplinks/2017/03/five-creepy-things-your-isp-could-do-if-congress-repeals-fccs-privacy-protections ). Some of them stopped because the FCC intervened before establishing these rules, but because of the way congress wants to repeal the FCC's rules, the FCC might not have the same authority to curtail the ISPs' behavior in the future.
tarnin1 karma
As we have seen, they are all Republicans. I can call my hill critters but they are Democrats and voted no already. Everything that I can do is done. We really CAN'T stop them in their tracks. Dems have no control and are working overtime on other things. The head of the FCC is a corporate monkey. You would need mass calls to repub critters and a bunch of money to throw at them to stop them so... What can really be done? What can I, as someone in a blue state that is already voting no, do?
jgillula3 karma
I think the biggest thing you could do is if you have any friends in red districts, hound them to call their rep today.
https://act.eff.org/action/don-t-let-congress-undermine-our-online-privacy
GudSpellar1 karma
Is there anything in the bill to prevent a person's history from being shared after it is sold?
For example, is there anything preventing a company that buys these browsing histories from making them public?
It's a chilling thought. Thanks for everything you're doing, and for answering our questions.
jgillula3 karma
No, the repeal bill doesn’t try to do that (or anything else to protect privacy in place of the FCC's rules). There are some privacy protections in the underlying federal statute, but we don’t know how much of the statute will actually be usable if the rules are repealed.
So yeah, it's a chilling thought.
NemesisPrimev21 karma
I don't think this is a fight we're going to win. Honestly I'm fully expecting to wake up tomorrow and read how the rules were repealed along party lines. Republicans for the most part vote in lockstep. I called when the senate version was being voted on and my senators ultimately voted in favor and the FCC is clearly in favor of having the rules eliminated.
My question is, what can we do to plan for the future on this issue? Lobby until we can get an FCC willing to try again? Craft sample legislation that tries to sound different and accomplish the same goal?
jgillula3 karma
I'm optimistic--we've driven a TON of calls to Congress today.
But if we don't win, our next target (which is admittedly a bit of a hail mary) is the President. And if it does go through, then we would have to wait until a political environment that's friendlier to privacy arrives.
And in the mean time, there are still other ways to fight. We can work at the state level. We can name and shame ISPs. We can encourage broadband competition. And we can work on tech tools to help people maintain their privacy (like making Tor easier to use, getting it more mainstream acceptance, and fixing the captcha issues).
So even if we lose, this definitely won't be the end.
the_octagon12421 karma
Does HIPAA not apply to health information collection? What level of PHI will they be able to collect? Side note - I want to plug the EFF tool for calling congress on this topic: https://act.eff.org/action/don-t-let-congress-undermine-our-online-privacy
jgillula2 karma
IANAL, but HIPAA only applies to "covered" entities, which usually means only healthcare providers/insurance companies. So anyone else who collects health-related info isn't covered by HIPAA.
terpin17 karma
Let's say that they do this, that they pass the bill and ISPs and other providers will be able to sell your data to advertisers and the like.
Will health insurance companies be able to buy specific users' information? Would your employer be able to buy your data? Or would they just blanket buy data from a certain area to figure out where to hike premiums if you're living in a market where everyone is buying pizzas and posting ads on craigslist for illicit drugs?